109 posts categorized "Forensics & Deep Packet Capture"

Analyzing Microsoft IIS Web Logs - Part 2 (by Paul Offord)

Now that almost all the streams we analyze are encrypted, how can we see what's inside those pesky SSL/TLS packets? Here's one way.

[Image: IIS log entry]

In the previous video in this series we saw how web logs provide an abundance of information; just the sort of stuff we need to take a performance problem to a developer.  And now we can analyze web logs with Wireshark.

In this video ...



Analyzing Microsoft IIS Web Logs - Part 1 (by Paul Offord)

Wireshark's new TRANSUM plugin provides a great way to identify slow web site and web service transactions, but there's a problem.  More often than not, web traffic is carried in SSL (TLS) encrypted messages, and so, although we can see slow response times, we can't see the detail.  To prove the cause of a slow response time, ideally we want to see the URI, query strings and, in the case of a web service request, the SOAP Action value.

[Image: IIS log]

If we are very lucky, we may be able to get a copy of the private SSL keys and use Wireshark to decrypt the traffic, but what if that's not possible?  The good news is that web logs have much of the information we need, and we can combine this with Wireshark network traces to get a more complete picture.
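Both IIS posts on this page come down to the same join: the trace gives you the client address and port and accurate timing for each TLS conversation, while the W3C log gives you the URI, query string, status and time-taken for the same request. The script below is an added example of that join in Python; it is not Paul Offord's code from the videos. The log excerpt and the conversation records are constructed. The conversation records stand in for whatever you export from the trace (client IP and port, UTC epoch time of the first request byte, and the measured application response time in milliseconds, along the lines of TRANSUM's ART figure). Two caveats are built in: W3C log timestamps are always UTC with one-second granularity, and IIS time-taken includes the time to push the response across the network to the client, so it will normally run a little over the server-side response time you measure in the trace.

```python
"""Join IIS W3C log entries to TLS conversations timed in a Wireshark trace.
Added example with constructed data; not code from the original posts."""
import datetime as dt

LOG_GRANULARITY_S = 1.0   # W3C entries carry whole seconds, always in UTC

# Constructed log excerpt in the default W3C field order (IIS writes spaces in
# values as '+', so a line splits cleanly on single spaces).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-11-03 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-11-03 09:00:01 10.1.1.5 GET /orders/search q=widget&page=3 443 - 10.1.2.40 Mozilla/5.0 - 200 0 0 2418
2016-11-03 09:00:01 10.1.1.5 POST /svc/OrderService.svc - 443 - 10.1.2.41 Mozilla/5.0 - 200 0 0 52
2016-11-03 09:00:09 10.1.1.5 GET /orders/1234 - 443 - 10.1.2.40 Mozilla/5.0 - 500 0 0 3107
"""


def utc_epoch(y, mo, d, h, mi, s, us=0):
    return dt.datetime(y, mo, d, h, mi, s, us, tzinfo=dt.timezone.utc).timestamp()


# Constructed stand-ins for what you export from the trace: one record per
# request/response pair, with the client socket, the UTC time of the first
# request byte and the measured application response time in milliseconds.
SAMPLE_CONVERSATIONS = [
    {"client_ip": "10.1.2.40", "client_port": 51522, "server_port": 443,
     "request_epoch": utc_epoch(2016, 11, 3, 8, 59, 59, 200000), "art_ms": 2390},
    {"client_ip": "10.1.2.40", "client_port": 51530, "server_port": 443,
     "request_epoch": utc_epoch(2016, 11, 3, 9, 0, 6, 100000), "art_ms": 3050},
    {"client_ip": "10.1.2.99", "client_port": 40011, "server_port": 443,
     "request_epoch": utc_epoch(2016, 11, 3, 9, 0, 2), "art_ms": 410},
]


def parse_iis_w3c(lines):
    """Parse W3C extended log lines, taking column names from the #Fields: directive."""
    fields, rows = None, []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            raise ValueError("field count mismatch: " + line)
        row = dict(zip(fields, parts))
        stamp = dt.datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        row["epoch"] = stamp.replace(tzinfo=dt.timezone.utc).timestamp()
        row["time-taken"] = int(row["time-taken"])   # milliseconds
        rows.append(row)
    return rows


def correlate(rows, conversations):
    """For each conversation, pick the log entry from the same client and server
    port whose timestamp fits the conversation and whose time-taken is closest
    to the measured response time."""
    results = []
    for conv in conversations:
        t0 = conv["request_epoch"]
        # Whether the logged second is request receipt or completion depends on
        # the IIS version and settings, so accept anything between the two,
        # padded by the logging granularity.  time-taken includes the time to
        # deliver the response to the client, so expect it to run over ART.
        lo = t0 - LOG_GRANULARITY_S
        hi = t0 + conv["art_ms"] / 1000.0 + LOG_GRANULARITY_S
        candidates = [r for r in rows
                      if r["c-ip"] == conv["client_ip"]
                      and r["s-port"] == str(conv["server_port"])
                      and lo <= r["epoch"] <= hi]
        best = min(candidates, key=lambda r: abs(r["time-taken"] - conv["art_ms"]), default=None)
        results.append({"conversation": conv, "log": best,
                        "delta_ms": None if best is None else best["time-taken"] - conv["art_ms"]})
    return results


if __name__ == "__main__":
    for m in correlate(parse_iis_w3c(SAMPLE_LOG.splitlines()), SAMPLE_CONVERSATIONS):
        c, r = m["conversation"], m["log"]
        print(c["client_ip"], c["client_port"], c["art_ms"], "->",
              "no log entry" if r is None else
              (r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"], r["sc-status"], r["time-taken"]))
```

With the sample data the first two conversations land on the /orders/search and /orders/1234 entries (the latter a 500), and the third client has no log entry at all, which is itself useful: a slow TLS conversation with nothing in the web log points at something before IIS got the request (handshake, HTTP.sys, a load balancer) rather than at application code. When several log entries fall in the window for one client, the time-taken comparison is the tie-breaker; if you enable the client port as a custom log field on IIS 8.5 or later the join becomes exact.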

In this video ...



Using NetworkMiner with a Windows netsh trace File (by Paul Offord)

Before analyzing a network packet trace file, I try to make sure that I've collected information about IP addresses and TCP/UDP port numbers.  Even so, I still find that I don't have all the information I need.  There are techniques you can use to get the missing information - check NBNS host announcements, explore the names resolved by DNS - but it's all just more hassle.

[Image: NetworkMiner host details]

Recently I noticed a bit of a buzz around NetworkMiner, so I thought I'd check it out.  What I found was a simple tool that does just what I need: extract useful host and service information from Wireshark traces.  We now analyze a fair number of traces captured with Windows netsh trace, so I thought I'd look at how we can use NetworkMiner with these Windows-native trace files.

In this video ...



A Wi-Fi Router as a Witness Device! (by Daniel Arrugueta)


Note: the full document is attached in .pdf format and is awesome reading for forensic investigators!


Witnesses often are crucial elements in solving and prosecuting criminal or civil violations.  We now regularly use data that various technologies record. Digital witness devices provide a source of largely unbiased and dependable information to the investigator and prosecutor. However, many often ignore or do not even recognize commonly available electronics as potential witness devices.  One such device is the wireless router found in most homes and businesses.

As with any witness, some sort of vetting and consideration is wise. Reliability, bias, memory, physical abilities, etc., all can be factors that play roles in the use of digital witness devices and the use of their data. Whether you consider data from digital cameras, microphones, cell phones, computers, or Wi-Fi (wireless) routers, you should approach each with an open eye and determine clearly what each actually offers to your investigation. Data typically is reliable; how you interpret and present that data is key to its ultimate usefulness.



Harvesting Metadata From Network Traffic (by Darragh Delaney)


Every day I work on all sorts of modern and cutting edge technologies and I love learning about new stuff. I think I can trace this back to growing up on a farm, there was always something to fix or take apart. In spite of the perception that some people have of the agricultural sector, today's farms rely on huge amounts of technology and data analytics. Here in Ireland the harvest season has come to an end and we are all getting ready for the cooler temperatures of autumn.

[Image: combine harvester]

Harvest machinery has been serviced and parked up for another year including one of my favorites, the combine harvester. I spend hours on YouTube learning about the latest models and what goes on behind the scenes. For centuries they have been a vital cog in the global food chain. The theory behind them is simple, gather raw material up front and pass it through different filters and separators which allows us to extract the valuable grain which we can then use. The basics have remained the same over the years but the size of the machines has increased as we demand more efficiency and larger harvests.

But how, you may ask, is this combine machine connected to metadata and network traffic?



DNS Traffic is always worth watching very closely (by John Brosnan)


But it is not a good excuse to forget your anniversary!

While visiting a large ISP-type customer here in the Bay Area, we started to discuss the value he could get from network traffic analysis. The volumes of traffic on his network are at such a scale that he even struggles with summary information like NetFlow; he has so much of it that it is almost impossible to get a handle on it and see anything useful – a real big data problem.

[Image: network globe]

During our conversation, I mentioned that we have a number of dissectors (or application decoders, as we call them) for protocols like SMB, NFS, SQL, web, DNS – ‘STOP, what can you tell me about my DNS traffic, as my logs are limited’.  To be honest, I would have thought LANGuardian provided too much detail for his organization, but I guess DNS is a bit different.

Anyhow, I led on to explain that LANGuardian can:

  • Monitor DNS traffic, decode DNS replies
  • Inventory the responding DNS servers
  • Alert on rogue DNS servers
  • Review what resolutions clients are receiving
  • Monitor client requests, validate DNS traffic (piggybacking)

To quote a good friend, Tim of #lovemytool: ‘John, show me, don’t tell me.’
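In that spirit, here is an added example of the first four items on the list above done passively in Python. It is my code, not LANGuardian's, and it works on constructed DNS response messages rather than a real capture: it decodes each response, inventories which addresses are answering, flags any responder that is not on an assumed allow-list of sanctioned resolvers (TRUSTED_RESOLVERS), lists the resolutions each client received, records failed lookups, and applies two cheap piggybacking/tunnelling heuristics (a very long label in the query name, an oversized TXT answer) whose thresholds are chosen for illustration only. In practice you would feed it the UDP payloads of port-53 responses pulled from the trace.

```python
"""Passive DNS response monitor (added example; the packets below are constructed)."""
import struct
from collections import Counter

TRUSTED_RESOLVERS = {"10.0.0.53"}    # assumed: the site's sanctioned resolver(s)
MAX_LABEL_LEN, MAX_TXT_LEN = 30, 64  # assumed tunnelling heuristic thresholds

def read_name(msg, off):
    """Decode an RFC 1035 name at msg[off], following compression pointers.
    Returns (dotted name, offset just past the name in the original run)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                    # 11xxxxxx: pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_message(payload):
    """Parse the header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(payload, off)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(payload, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                              # A record
            value = ".".join(str(b) for b in rdata)
        elif rtype == 16 and rdata:                                # TXT, first string
            value = rdata[1:1 + rdata[0]].decode("latin-1")
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}

def suspicious_reasons(rec):
    """Two cheap tunnelling indicators: very long labels, oversized TXT answers."""
    reasons = []
    for name, _ in rec["questions"]:
        if any(len(label) > MAX_LABEL_LEN for label in name.split(".")):
            reasons.append("long label in query name " + name)
    for name, rtype, _ttl, value in rec["answers"]:
        if rtype == 16 and len(value) > MAX_TXT_LEN:
            reasons.append("oversized TXT answer for %s (%d bytes)" % (name, len(value)))
    return reasons

def analyze(packets, trusted=TRUSTED_RESOLVERS):
    """packets: iterable of (src_ip, dst_ip, udp_payload) for traffic from port 53."""
    resolvers, rogue, resolutions, failures, suspicious = Counter(), set(), [], [], []
    for src_ip, dst_ip, payload in packets:
        rec = parse_message(payload)
        if not rec["is_response"]:
            continue
        resolvers[src_ip] += 1                       # inventory of responding servers
        if src_ip not in trusted:
            rogue.add(src_ip)                        # rogue DNS server alert
        for name, rtype, _ttl, value in rec["answers"]:
            resolutions.append((dst_ip, name, rtype, value))
        if rec["rcode"] != 0:
            failures.append((dst_ip, rec["questions"][0][0] if rec["questions"] else "?", rec["rcode"]))
        for reason in suspicious_reasons(rec):
            suspicious.append((src_ip, dst_ip, reason))
    return {"resolvers": resolvers, "rogue_resolvers": sorted(rogue),
            "resolutions": resolutions, "failures": failures, "suspicious": suspicious}

def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"

def build_response(txid, qname, rrs, rcode=0):
    """Constructed one-question response; answer owner names point back to offset 12."""
    msg = struct.pack("!6H", txid, 0x8180 | rcode, 1, len(rrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", rrs[0][0] if rrs else 1, 1)
    for rtype, ttl, rdata in rrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

SAMPLE_PACKETS = [   # constructed: (responding server, client, payload)
    ("10.0.0.53", "10.0.1.20", build_response(0x1A2B, "www.example.com", [(1, 300, bytes([203, 0, 113, 10]))])),
    ("192.168.1.99", "10.0.1.21", build_response(0x3C4D, "login.example.com", [(1, 60, bytes([198, 51, 100, 7]))])),
    ("10.0.0.53", "10.0.1.22", build_response(0x5E6F, "e4b1c9d8f0a3b5c6e7d8f9a0b1c2d3e4f5a6b7c8.x.tunnel.example.net", [(16, 1, bytes([120]) + b"Q" * 120)])),
    ("10.0.0.53", "10.0.1.20", build_response(0x7081, "nosuchhost.example.com", [], rcode=3)),
]
```

Running analyze(SAMPLE_PACKETS) reports 10.0.0.53 answering three times and 192.168.1.99 once, lists 192.168.1.99 as a rogue resolver, records the NXDOMAIN for nosuchhost.example.com, and raises both heuristics on the tunnel.example.net exchange. The value of doing this from packets rather than from the resolver's own logs is the point the customer made: the capture sees every server that answered, including the ones nobody configured.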
